From afd99762bdc22e322d875aa84e805dd0f0d5c6d7 Mon Sep 17 00:00:00 2001
From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com>
Date: Tue, 10 Sep 2024 10:30:45 -0700
Subject: [PATCH 1/5] update
---
 ...le.ec2.graviton.cpu.os_scan_allowlist.json | 395 ++++++++++++++++--
 1 file changed, 357 insertions(+), 38 deletions(-)
diff --git a/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.os_scan_allowlist.json b/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.os_scan_allowlist.json
index 237dcb6ed3e6..693acb62121c 100644
--- a/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.os_scan_allowlist.json
+++ b/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.os_scan_allowlist.json
@@ -1,45 +1,161 @@ { "linux": [ { - "description": " In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.", - "vulnerability_id": "CVE-2024-27020", - "name": "CVE-2024-27020", + "description": "In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! 
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc9000", + "vulnerability_id": "CVE-2024-41087", + "name": "CVE-2024-41087", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { "text": "None Provided" } }, - "cvss_v3_score": 7.0, + "cvss_v3_score": 7.8, "cvss_v30_score": 0.0, - "cvss_v31_score": 7.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41087.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41087 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. 
Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", + "vulnerability_id": "CVE-2022-48791", + "name": "CVE-2022-48791", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48791.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-48791 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times.", + "vulnerability_id": "CVE-2024-41046", + "name": "CVE-2024-41046", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41046.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41046 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", + "vulnerability_id": "CVE-2024-39494", + "name": "CVE-2024-39494", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-27020.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39494.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-27020 - linux", + "title": "CVE-2024-39494 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", + "vulnerability_id": "CVE-2024-42154", + "name": "CVE-2024-42154", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 9.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 9.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "CRITICAL", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42154.html", + "source": "UBUNTU_CVE", + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2024-42154 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup.", - "vulnerability_id": "CVE-2024-26884", - "name": "CVE-2024-26884", + "description": "A out-of-bound vulnerability is found in the jfs subsystem. 
When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. This may lead to system crash.", + "vulnerability_id": "CVE-2024-40902", + "name": "CVE-2024-40902", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
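Review bot: The entry for CVE-2024-42154 added in this hunk is rated CRITICAL (`cvss_v31_score` 9.8), yet it is allowlisted with the same generic `reason_to_ignore` as the HIGH kernel entries and with remediation text "None Provided", so the file records no justification specific to the finding most likely to be questioned in an audit. If the scanner is reporting these against the `linux-libc-dev` headers package rather than a kernel the image actually runs (the reason text suggests this but does not state it), say so explicitly, for example `"reason_to_ignore": "Reported against linux-libc-dev (kernel headers only) at 5.4.0-193.213, the newest release available; the image does not ship a kernel."`. The same boilerplate reason is repeated on every entry added in the later hunks of this file (those starting at new lines 167, 196, 225, 283 and 312). Several `description` values are also cut off mid-text (the first one ends inside a register dump), so `source_url` is the only dependable reference for triage.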
@@ -51,24 +167,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26884.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-40902.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26884 - linux", + "title": "CVE-2024-40902 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in usb_deauthorize_interface() Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one which acquires a device lock on an ancestor device: It calls usb_deauthorize_interface(), which locks the interface's parent USB device. The will lead to deadlock if another process already owns that lock and tries to remove the interface, whether through a configuration change or because the device has been disconnected. As part of the removal procedure, device_del() waits for all ongoing sysfs attribute callbacks to complete. But usb_deauthorize_interface() can't complete until the device lock has been released, and the lock won't be released until the removal has finished. The mechanism provided by sysfs to prevent this kind of deadlock is to use the sysfs_break_active_protection() function, which tells sysfs not to wait for the attribute callback. Reported", - "vulnerability_id": "CVE-2024-26934", - "name": "CVE-2024-26934", + "description": "In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. 
However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.", + "vulnerability_id": "CVE-2024-41049", + "name": "CVE-2024-41049", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -80,24 +196,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26934.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41049.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26934 - linux", + "title": "CVE-2024-41049 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() Apply the same fix than ones found in : 8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\") 1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. 
syzbot reported: BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP_ECN_", - "vulnerability_id": "CVE-2024-26882", - "name": "CVE-2024-26882", + "description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis.", + "vulnerability_id": "CVE-2024-42104", + "name": "CVE-2024-42104", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -109,24 +225,53 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26882.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42104.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26882 - linux", + "title": "CVE-2024-42104 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_p", - "vulnerability_id": "CVE-2024-26898", - "name": "CVE-2024-26898", + "description": "In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. 
BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 d", + "vulnerability_id": "CVE-2024-39487", + "name": "CVE-2024-39487", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.1, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.1, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39487.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39487 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. 
This function will call kfree to free the object \"intf\". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object \"intf\". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree.", + "vulnerability_id": "CVE-2024-39495", + "name": "CVE-2024-39495", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -138,24 +283,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26898.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39495.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26898 - linux", + "title": "CVE-2024-39495 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.", - "vulnerability_id": "CVE-2024-26883", - "name": "CVE-2024-26883", + "description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. 
Otherwise, an out-of-bounds write will occur.", + "vulnerability_id": "CVE-2024-36978", + "name": "CVE-2024-36978", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -167,11 +312,185 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26883.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-36978.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-36978 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only.", + "vulnerability_id": "CVE-2024-42224", + "name": "CVE-2024-42224", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42224.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42224 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42093", + "name": "CVE-2024-42093", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42093.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42093 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. 
To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", + "vulnerability_id": "CVE-2024-38570", + "name": "CVE-2024-38570", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-38570.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-38570 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "vulnerability_id": "CVE-2024-42160", + "name": "CVE-2024-42160", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42160.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42160 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. 
Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42094", + "name": "CVE-2024-42094", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42094.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42094 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", + "vulnerability_id": "CVE-2024-42228", + "name": "CVE-2024-42228", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.0, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.0, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42228.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26883 - linux", + "title": "CVE-2024-42228 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." } ] 
From 984afeea146370d4c52995427a0340de808d0588 Mon Sep 17 00:00:00 2001
From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com>
Date: Tue, 10 Sep 2024 10:30:46 -0700
Subject: [PATCH 2/5] update
---
 ...rfile.ec2.graviton.cpu.overall_history.txt | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.overall_history.txt b/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.overall_history.txt
index ba1ec438fd02..19ae64b0fc08 100644
--- a/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.overall_history.txt
+++ b/tensorflow/inference/docker/2.14/py3/Dockerfile.ec2.graviton.cpu.overall_history.txt
@@ -40,6 +40,45 @@ apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git l #### Patch contents for patch-12: sha256:84a10cf80d12817ac0092b270130d78470b8fcdf18b15c29c2bee7d17b45d87f #### pip install idna==3.7 requests==2.32.3 urllib3==2.2.2 apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget -#### Current Patch contents #### +#### Patch contents for patch-13: sha256:14204cb7079c0ab5a2ae8ed58984e0f13db722a64b52986163183a4513317a0e #### pip install idna==3.7 requests==2.32.3 urllib3==2.2.2 apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-14: sha256:8318829aae4ffb15852a5fe98c4244fdf021a737f536451d04278d93df4f2e13 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-15: sha256:1856fa2a5394eafa6321e5d2377095ca6768ab6b80d7e1ae0beae479acf7f695 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==71.0.1 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib 
libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-16: sha256:e00ddefdfe842e1b1ddca3bc9f14b90e3694280ae85e44eb4a5d645ce897c779 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==71.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-17: sha256:c5788730c5425bb1616647434326a2cea3f5e9966748da36cc6239f60d1a4b96 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-18: sha256:31a9b66749bae6abe43621876caf30738027e9266618ff807380a0d88932c44f #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-19: 
sha256:0fb128505c3703b48389ccc7b6087147e26f94c75168b42d91d56430a755b0b7 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-20: sha256:4ec94322b70c1d5dafaf2ba1b1fc654757a7078f2d5c35277b99f74760e351d0 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-21: sha256:324e4271444d98ca74e1da6d7de29a85f5971c2bbeb8f5443b9609fa06574543 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### 
Patch contents for patch-22: sha256:054030afd53a9b31079c032db95277d121cb4826a4945c65fb99ce996d5a6a8b #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.2.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-23: sha256:8ff45e2e87d7a9bacc8c279299511932ba8ef3a0ac7a05c3e62fc4fe22c51fba #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.2.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-24: sha256:9c3133a50b59584e0a621394e3d1d71e96cf1ff59e20cb3383c874967a6295b2 #### +pip install certifi==2024.7.4 idna==3.8 requests==2.32.3 setuptools==73.0.1 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 
libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-25: sha256:7153f1f288bf85aa8e0af4a6d36ec63738873004ba28808460b304d7d79bbeaa #### +pip install certifi==2024.7.4 idna==3.8 requests==2.32.3 setuptools==74.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Current Patch contents #### +pip install certifi==2024.8.30 idna==3.8 requests==2.32.3 setuptools==74.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget From e1af954b7bed5c4dad8f1bc362a137e646110603 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:47 -0700 Subject: [PATCH 3/5] update --- ...emaker.graviton.cpu.os_scan_allowlist.json | 391 ++++++++++++++++-- 1 file changed, 355 insertions(+), 36 deletions(-) 
diff --git a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.os_scan_allowlist.json b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.os_scan_allowlist.json index 76b03406eaac..c6dc7b23134b 100644 --- a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.os_scan_allowlist.json +++ b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.os_scan_allowlist.json 
@@ -1,16 +1,16 @@ { "linux": [ { - "description": " In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_p", - "vulnerability_id": "CVE-2024-26898", - "name": "CVE-2024-26898", + "description": "In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.", + "vulnerability_id": "CVE-2024-36978", + "name": "CVE-2024-36978", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -22,24 +22,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26898.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-36978.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26898 - linux", + "title": "CVE-2024-36978 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix deadlock in usb_deauthorize_interface() Among the attribute file callback routines in drivers/usb/core/sysfs.c, the interface_authorized_store() function is the only one which acquires a device lock on an ancestor device: It calls usb_deauthorize_interface(), which locks the interface's parent USB device. The will lead to deadlock if another process already owns that lock and tries to remove the interface, whether through a configuration change or because the device has been disconnected. As part of the removal procedure, device_del() waits for all ongoing sysfs attribute callbacks to complete. But usb_deauthorize_interface() can't complete until the device lock has been released, and the lock won't be released until the removal has finished. The mechanism provided by sysfs to prevent this kind of deadlock is to use the sysfs_break_active_protection() function, which tells sysfs not to wait for the attribute callback. Reported", - "vulnerability_id": "CVE-2024-26934", - "name": "CVE-2024-26934", + "description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). 
- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", + "vulnerability_id": "CVE-2024-42160", + "name": "CVE-2024-42160", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -51,24 +51,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26934.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42160.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26934 - linux", + "title": "CVE-2024-42160 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() Apply the same fix than ones found in : 8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\") 1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. syzbot reported: BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP_ECN_", - "vulnerability_id": "CVE-2024-26882", - "name": "CVE-2024-26882", + "description": "In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. 
Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object \"intf\". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object \"intf\". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree.", + "vulnerability_id": "CVE-2024-39495", + "name": "CVE-2024-39495", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -80,24 +80,140 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26882.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39495.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26882 - linux", + "title": "CVE-2024-39495 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.", - "vulnerability_id": "CVE-2024-27020", - "name": "CVE-2024-27020", + "description": "In the Linux kernel, the following vulnerability has been resolved: net/dpaa2: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. 
Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42093", + "name": "CVE-2024-42093", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42093.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42093 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: add missing check for inode numbers on directory entries Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn(). As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case). The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking. Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages. 
Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis.", + "vulnerability_id": "CVE-2024-42104", + "name": "CVE-2024-42104", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42104.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42104 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times.", + "vulnerability_id": "CVE-2024-41046", + "name": "CVE-2024-41046", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41046.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-41046 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() In function bond_option_arp_ip_targets_set(), if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bound read. BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418 Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107 CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc1/0x5e0 mm/kasan/report.c:475 kasan_report+0xbe/0xf0 mm/kasan/report.c:588 strlen+0x7d/0xa0 lib/string.c:418 __fortify_strlen include/linux/fortify-string.h:210 [inline] in4_pton+0xa3/0x3f0 net/core/utils.c:130 bond_option_arp_ip_targets_set+0xc2/0x910 d", + "vulnerability_id": "CVE-2024-39487", + "name": "CVE-2024-39487", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.1, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.1, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39487.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39487 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", + "vulnerability_id": "CVE-2024-42228", + "name": "CVE-2024-42228", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" }, "remediation": { "recommendation": { 
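Review bot: The `reason_to_ignore` on the entries added in this hunk (CVE-2024-42093, CVE-2024-42104, CVE-2024-41046, CVE-2024-39487, CVE-2024-42228) does not say why the kernel finding is acceptable for this image; it only records that linux-libc-dev was upgraded. The entries added in the next hunk repeat the same text. If the finding is reported only through the kernel-headers package and the image ships no kernel of its own (an inference from the wording, not shown in this diff), the reason should say so, e.g. `"reason_to_ignore": "Reported against linux-libc-dev headers only; no kernel is shipped in the image. linux-libc-dev is at the latest available release."`. Without that, an auditor cannot tell an unreachable finding from an unpatched one. These CVEs would then need tracking against the host kernel that runs the container.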
@@ -109,24 +225,227 @@ "cvss_v31_score": 7.0, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-27020.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42228.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42228 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: Avoid explicit cpumask var allocation on stack For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask variable on stack is not recommended since it can cause potential stack overflow. Instead, kernel code should always use *cpumask_var API(s) to allocate cpumask var in config-neutral way, leaving allocation strategy to CONFIG_CPUMASK_OFFSTACK. Use *cpumask_var API(s) to address it.", + "vulnerability_id": "CVE-2024-42094", + "name": "CVE-2024-42094", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42094.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42094 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.", + "vulnerability_id": "CVE-2022-48791", + "name": "CVE-2022-48791", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48791.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-48791 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." 
+ }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", + "vulnerability_id": "CVE-2024-42154", + "name": "CVE-2024-42154", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 9.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 9.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "CRITICAL", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42154.html", + "source": "UBUNTU_CVE", + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2024-42154 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "A out-of-bound vulnerability is found in the jfs subsystem. When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. 
This may lead to system crash.", + "vulnerability_id": "CVE-2024-40902", + "name": "CVE-2024-40902", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-40902.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-40902 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", + "vulnerability_id": "CVE-2024-39494", + "name": "CVE-2024-39494", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-39494.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-39494 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. 
Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. Compile tested only.", + "vulnerability_id": "CVE-2024-42224", + "name": "CVE-2024-42224", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-42224.html", + "source": "UBUNTU_CVE", + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-42224 - linux", + "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." + }, + { + "description": "In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. 
Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.", + "vulnerability_id": "CVE-2024-41049", + "name": "CVE-2024-41049", + "package_name": "linux", + "package_details": { + "file_path": null, + "name": "linux", + "package_manager": "OS", + "version": "5.4.0", + "release": "193.213" + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "cvss_v3_score": 7.8, + "cvss_v30_score": 0.0, + "cvss_v31_score": 7.8, + "cvss_v2_score": 0.0, + "cvss_v3_severity": "HIGH", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41049.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-27020 - linux", + "title": "CVE-2024-41049 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem.", - "vulnerability_id": "CVE-2024-26883", - "name": "CVE-2024-26883", + "description": "In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Fix double free on error If e.g. 
the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free: kernel BUG at mm/slub.c:553! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:kfree+0x2cf/0x2f0 Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc9000", + "vulnerability_id": "CVE-2024-41087", + "name": "CVE-2024-41087", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { 
@@ -138,24 +457,24 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26883.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-41087.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26883 - linux", + "title": "CVE-2024-41087 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." }, { - "description": " In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup.", - "vulnerability_id": "CVE-2024-26884", - "name": "CVE-2024-26884", + "description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. 
To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", + "vulnerability_id": "CVE-2024-38570", + "name": "CVE-2024-38570", "package_name": "linux", "package_details": { "file_path": null, "name": "linux", "package_manager": "OS", "version": "5.4.0", - "release": "187.207" + "release": "193.213" }, "remediation": { "recommendation": { @@ -167,11 +486,11 @@ "cvss_v31_score": 7.8, "cvss_v2_score": 0.0, "cvss_v3_severity": "HIGH", - "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-26884.html", + "source_url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-38570.html", "source": "UBUNTU_CVE", "severity": "HIGH", "status": "ACTIVE", - "title": "CVE-2024-26884 - linux", + "title": "CVE-2024-38570 - linux", "reason_to_ignore": "Package and its binaries cannot be upgraded further. Packages: linux-libc-dev have been upgraded." } ] From fd7f33cc2fa3a365ce367b75cbffb88e4556e840 Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:48 -0700 Subject: [PATCH 4/5] update --- .../Dockerfile.sagemaker.graviton.cpu.py_scan_allowlist.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.py_scan_allowlist.json b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.py_scan_allowlist.json index ac17cb8ea259..ebdc47d98132 100644 --- a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.py_scan_allowlist.json +++ b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.py_scan_allowlist.json 
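Review bot: The `reason_to_ignore` on the entries retitled to CVE-2024-41087 here and to CVE-2024-38570 in the `@@ -167,11 +486,11 @@` hunk is an unchanged context line. The justification recorded for the replaced findings (CVE-2024-26883, CVE-2024-26884) is therefore reused word for word for two different HIGH (7.8) kernel CVEs. "Package and its binaries cannot be upgraded further" does not tell an auditor why each finding is acceptable in this image. If, as the text suggests, the finding is raised through `linux-libc-dev` (kernel headers) and the container does not ship its own kernel, state that per entry, e.g. `"reason_to_ignore": "Reported via linux-libc-dev headers only; the image does not ship a kernel, so the fix has to come from the host."` The JSON object this hunk edits begins before the hunk, so its description and package details are not visible here.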
@@ -1,4 +1,5 @@ { "67599": "** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.", - "71600": "[Package: gunicorn] Conflicts for: gunicorn" + "71600": "[Package: gunicorn] Conflicts for: gunicorn", + "72780": "[Package: gunicorn] Conflicts for: gunicorn" } \ No newline at end of file From 0b89d54ab8c3715f9bcba624d9044da979cfd26f Mon Sep 17 00:00:00 2001 From: AWS Deep Learning Infrastructure <57232265+aws-dlinfra-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 10:30:49 -0700 Subject: [PATCH 5/5] update --- ...sagemaker.graviton.cpu.overall_history.txt | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.overall_history.txt b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.overall_history.txt index 29950a0f4893..fc7d07247b4f 100644 --- a/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.overall_history.txt +++ b/tensorflow/inference/docker/2.14/py3/Dockerfile.sagemaker.graviton.cpu.overall_history.txt 
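Review bot: The added key `"72780"` carries exactly the same value as `"71600"`, `[Package: gunicorn] Conflicts for: gunicorn`. That value names neither the advisory being suppressed nor the requirement that blocks the upgrade, whereas the `"67599"` entry quotes the advisory text. Someone auditing this allowlist cannot tell from the file whether 72780 is a distinct gunicorn issue, or when the suppression can be dropped. I would record both pieces of information in the value, e.g. `"72780": "[Package: gunicorn] <ADVISORY_SUMMARY_PLACEHOLDER>; upgrade blocked by <CONFLICTING_REQUIREMENT_PLACEHOLDER>"`.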
@@ -40,6 +40,45 @@ apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git l #### Patch contents for patch-12: sha256:d367fcf06f3d3010ee2cd9580cc4457f5d7f4a3f08f04fc5eab27edd29c0c092 #### pip install idna==3.7 requests==2.32.3 urllib3==2.2.2 apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget -#### Current Patch contents #### +#### Patch contents for patch-13: sha256:70fcfff597244319857cd9387c2764c1a43270b4e2eec73c3884e6aee0c505b7 #### pip install idna==3.7 requests==2.32.3 urllib3==2.2.2 apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-14: sha256:75cd7a0e51e9e2c111b1ad98c155822a8b3c06d99cf94feb51a226f5f5975941 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libmount1 libnghttp2-14 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-15: sha256:7ff60e414e5d265e4ae12b97434c10de1e92f36631997cd90e94183b5ab98b38 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==71.0.1 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib 
libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-16: sha256:d2ad07c16b80268acccfa345f9b5c697f0f025f01894e02e52f261ec119a0730 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==71.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-17: sha256:db48f7b8d9b7e5ae21d0963845ab4a4621c689f1d8ab4f351273d0b5942df400 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-18: sha256:398079cb604aa52b9532e103736b04188fb4c540892b1b5fdaac4eec9920c44c #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-19: 
sha256:a19bdadbee5b3fa154a6aad8c90bf775a80579249af62ab613de88278a59df5e #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-20: sha256:8c317a1b2320b0eed17301acade0a438efa40c6b08fbdd2eb01b3a04004eac9f #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgtk-3-0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-21: sha256:30dfd44b1c66e2f72a8678bdf140d90c6e84ac05060eccd6f7ad101b587e12c9 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.1.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### 
Patch contents for patch-22: sha256:da38aacc67646ed2294e483385c159c0e6991f6ff9bd5105c7dd8dc56bae770d #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.2.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-23: sha256:800cf8c1c774d287b714f471ae111e3fad7bde840c84678f92f77e028fcaccc1 #### +pip install certifi==2024.7.4 idna==3.7 requests==2.32.3 setuptools==72.2.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-24: sha256:3a91f580fb537dc9e46af403fb7c5675b6c404e2d8e16632ae64f6042b8478b2 #### +pip install certifi==2024.7.4 idna==3.8 requests==2.32.3 setuptools==73.0.1 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 
libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Patch contents for patch-25: sha256:172b93c333c3daa6eb68aaf34d6f2c224355e025d26825608c0ddaa7253fa99a #### +pip install certifi==2024.7.4 idna==3.8 requests==2.32.3 setuptools==74.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget +#### Current Patch contents #### +pip install certifi==2024.8.30 idna==3.8 requests==2.32.3 setuptools==74.0.0 urllib3==2.2.2 +apt-get update && apt-get install -y --only-upgrade bsdutils curl fdisk git-man git imagemagick-6-common libblkid1 libc-bin libc-dev-bin libc6-dev libc6 libcups2 libcurl3-gnutls libcurl4 libfdisk1 libgdk-pixbuf2.0-0 libglib2.0-0 libgnutls30 libgssapi-krb5-2 libgtk-3-0 libk5crypto3 libkrb5-3 libkrb5support0 libmagickcore-6.q16-6 libmagickwand-6.q16-6 libmount1 libnghttp2-14 libpython3.8-minimal libpython3.8-stdlib libpython3.8 libsmartcols1 libssl1.1 libtiff5 libuuid1 linux-libc-dev mount util-linux uuid-dev wget